Montana Public Radio reports
that New West Health Services is notifying 25,000 members after a
laptop with their PHI was stolen. Here’s the statement that was
posted on New West Medicare’s site today, with one interruption by
me for a short, but tasteful, rant:

New West Health Services d/b/a New West Medicare has unfortunately
learned of an incident
involving a company laptop computer that was stolen from an off-site
location. The computer contained electronic files with personal
information from past and present New West customers. The
computer was password protected, [Worthless
Bob] and there is no evidence to suggest that the
information stored on the laptop was the target of the theft or that
any customer information has been accessed or misused.

Reidenberg, Joel R. and Bhatia, Jaspreet and
Breaux, Travis and Norton, Thomas B., Automated Comparisons of
Ambiguity in Privacy Policies and the Impact of Regulation (January
9, 2016). Fordham Law Legal Studies Research Paper Forthcoming.
Available for download at SSRN: http://ssrn.com/abstract=2715164

“Website privacy policies often contain
ambiguous language that undermines the purpose and value of privacy
notices for site users. This paper compares the impact of different
regulatory models on the ambiguity of privacy policies in multiple
online sectors. First, the paper develops a theory of vague and
ambiguous terms. Next, the paper develops a scoring method to
compare the relative vagueness of different privacy policies. Then,
the theory and scoring are applied using natural language processing
to rate a set of policies. The ratings are compared against two
benchmarks to show whether government-mandated privacy disclosures
result in notices less ambiguous than those emerging from the market.
The methodology and technical tools can provide companies with
mechanisms to improve drafting, enable regulators to easily identify
poor privacy policies and empower regulators to more effectively
target enforcement actions.”

The National Security Agency has released its
Transparency
Report on the implementation of the USA Freedom Act — as well
as the minimization
procedures to be used for the new non-bulk telephone metadata
program — giving us a first glimpse of how the law’s reforms are
being cashed out in practice. There are some useful points of
clarification here — including one or two surprises — but also
many questions left unanswered.

There is political puffery and then there is
outright lying. Can Congress tell the difference?

FBI Director James Comey recently told
the Senate Judiciary Committee that encryption routinely poses a
problem for law enforcement. He stated that encryption
has “moved from being available [only] to the sophisticated bad guy
to being the default. So it’s now affecting every
criminal investigation that folks engage in.”

“The Freedom of Information Act established a
right for the public to access federal agency records. The statute
simply requires requesters to reasonably describe the records they
wish to receive and the agency is required to produce those records
in 20 working days. In practice, however, the FOIA process is much
more complicated and difficult to navigate. Many of the
complications are engineered into the process by the federal agencies
themselves. The FOIA process is broken. Unnecessary complications,
misapplication of the law, and extensive delays are common
occurrences. Agencies fail to articulate reasons for delays or
explain how to navigate the process. Requesters wait months, not
weeks, before receiving any response. Even a denial on a
technicality can be significantly delayed because the agency may fail
to read the request for months. Unreasonable requests for detail and
repeated ultimatums to respond within narrow windows or start all
over reinforce the perspective that the process is designed to keep
out all but the most persistent and experienced requesters.”

They're crazy, right? What constitutes
propaganda? The best propaganda is truth. ISIS is using Trump in
their marketing pitch because “Trump hates Muslims” is seen as
true. Will I be branded a terrorist for saying that?

The
lawsuit was brought by a plaintiffs’ class-action law firm on
behalf of the wife of a Florida defense contractor who was one of two
Americans killed in a shooting spree attack in Jordan last
November. It alleges that ISIS was responsible for the attack and
that Twitter helped contribute to the bloodshed by allowing the
terrorist group to use the site to spread propaganda, attract new
recruits and raise money.

Twitter
says the suit has no merit. “While we believe the lawsuit is
without merit, we are deeply saddened to hear of this family’s
terrible loss… Violent threats and the promotion of terrorism
deserve no place on Twitter and, like other social networks, our
rules make that clear,” a Twitter spokesman said in a statement
Thursday.

The lawsuit “will be a very big deal if it
survives a motion to dismiss, but that is a very big if,” wrote
Brookings Institution fellow Benjamin Wittes and Harvard Law School
student Zoe Bedell in an
analysis of the complaint posted on Lawfare Blog.

This weekend Amazon is celebrating its Golden
Globe wins for the series Mozart in the Jungle with a price
drop on an annual Prime membership. Starting at 9 p.m. Pacific on
Friday and lasting until 11:59 p.m. local time on Sunday, Amazon is
selling an annual Prime subscription for $73—a $26 price
cut.

… During the same time as Amazon is offering
the cheap Prime price, the retailer is allowing free streaming of
seasons one and two of Mozart in the Jungle for
everyone—not just Prime subscribers.

The following are interactive quiz game tools that
I've used with great success in my classroom and/or in my workshops.

Kahoot:

This is the obvious one to include in this post as
it did inspire the post. Kahoot
provides a fun way to gather feedback from a group through their
phones, iPads, Chromebooks, or any other device that has a web
browser and an Internet connection. You can include pictures and/or
videos as part of each question that you create and share in a Kahoot
activity. Players are awarded points for answering correctly and
quickly. Or you can turn off the points system to use Kahoot in a
non-competitive environment.

Socrative Space Race:

Socrative
is a free student response system that allows you to gather feedback
from students through any Internet-connected device. One of my
favorite aspects of Socrative is the variety of ways in which you can
pose prompts and questions to your students. The Space Race feature
has been a hit everywhere that I've shown it over the years. The
Space Race feature allows you to create virtual teams for answering
questions or prompts. The screen students see masks their
classmates' names, but as the teacher you can see your students'
names and download a report of students' responses.

Quizalize:

Quizalize
is a free quiz game platform. Students play your quiz games on their
laptops or tablets by going to the Quizalize website then entering
their names and a class code. Students are awarded points for
correctly answering questions quickly. Students are given feedback
instantly on every quiz question that they answer. A total score is
presented to students at the end of every quiz. Creating quizzes on
Quizalize is a simple process. To get started just name your quiz
and tag it with a subject label. As you write each quiz question you
can include a picture and up to four answer choices. You can specify
a time limit of 5 to 120 seconds for each question. Quizalize
offers a marketplace in which you can find quizzes created by other
users. Some of the quizzes are free and others are sold for a dollar
or two. To be clear, creating and playing your own quizzes is
completely free.

Triventy:

Triventy
uses a concept that is similar to Kahoot. To play a Triventy quiz
game the teacher projects the game questions at the front of the room
and students answer the questions on their mobile devices or laptops.
Points are awarded for answering correctly. Bonus points are
awarded for answering quickly. Students join the quiz game by going
to Triv.in and entering the game pin assigned to your game.

… President Obama delivered his final State of
the Union address Tuesday evening. “Education”
showed up several times in the speech, including the idea that every
student needs to learn to “write
computer code.”

… Via
The Hill: “House Oversight Committee Chairman Jason Chaffetz
(R-Utah) is warning that a hack on the Department of Education would
dwarf last year’s massive breach at the Office of Personnel
Management. ‘Almost half of America's records are sitting at the
Department of Education,’ Chaffetz said at a Brookings Institution
event on Thursday. ‘I think ultimately that’s going to be the
largest data breach that we've ever seen in the history of our
nation.’”

… “Bronx Science Bans Cellphones From Wi-Fi
as Students Devour It,” says
The New York Times. [Potentially
dangerous Bob]

… Tech and business training company General
Assembly is expanding
to Denver.

… “Oral Roberts University is now requiring
all freshmen to wear tracking devices to monitor their physical
activity,” News
on 6 reports. “It appears as though school staff and
instructors will be able to access the fitness tracking information
gathered by the students’ devices. ‘The Fitbit trackers will
feed into the D2L gradebook, automatically logging aerobics points,’”
according to the university’s website.

… The
opening paragraphs from Education Week’s look at “the future of
big data and analytics” in education: “Imagine classrooms
outfitted with cameras that run constantly, capturing each child’s
every facial expression, fidget, and social interaction, every day,
all year long. Then imagine on the ceilings of those rooms infrared
cameras, documenting the objects that every student touches
throughout the day, and microphones, recording every word that each
person utters. Picture now the children themselves wearing
Fitbit-like devices that track everything from their heart rates to
their time between meals.” Imagine.

… Via
The Washington Post: “The U.S. Education Department’s new
planned system of records that will collect detailed data on
thousands of students – and transfer records to private contractors
– is being slammed by experts who say there are not adequate
privacy safeguards embedded in the project.”

Friday, January 15, 2016

Following
an investigation into a breach
of its payment processing systems, Chicago-based hotel operator Hyatt
Hotels has determined that the incident affects 250 hotels worldwide.

According
to the company, the investigation revealed
unauthorized access to data associated with payment cards used at
Hyatt-managed locations, mainly restaurants, between August 13, 2015
and December 8, 2015.

… Customers
for whom Hyatt does not have any contact information are advised to
check the list
of affected hotels to determine if they are impacted.

… “Though
it is common to see malware capture credit cards at the time of the
swipe, in this instance, the
malware collected card data while it was being routed through the
affected payment processing systems,
according to Hyatt’s statement,” said Brad Cyprus, chief of
security and compliance at Netsurion, a provider of remotely-managed
security services for multi-location businesses.

I
would have expected attacks to drop like the price of oil. (Unless
of course you are trying to slow production to raise prices.)

According
to the study,
which was conducted by Dimensional Research in November 2015, 82
percent of oil and gas industry respondents said their organizations
registered an increase in successful
cyber-attacks over the past 12 months. Moreover, 53 percent of the
respondents said that the rate of cyber-attacks has increased between
50 and 100 percent over the past month.

… The
report also reveals that 69 percent of respondents said they were
“not confident” in their organizations’ ability to detect all
cyber-attacks.

Sad to see that this still happens. Does no one
know how the technology they use every day works?

Earlier this week, Jigsaw Security noted
that they had discovered that improper redaction of documents posted
on the Virginia Dept of
Human Resource Management website was potentially
exposing employees’ personal information:

A PDF posted by this organization
contained information that was obfuscated by blocks but was a layered
image so if you edit the document the blocks can be removed and the
original content is then visible.

The Jigsaw Security Operations Center
sent a standard notification advising them of the issue but they have
failed to respond to the request.

Because there were many improperly redacted files
putting employees’ SSN, salary, and other details at risk, Jigsaw
reached out to DataBreaches.net to help with the notification. On
January 12, this site sent a notification to the same DHRM liaison
that Jigsaw had attempted to notify, but also contacted DHRM’s
media contact to ask for a statement. When there was no
response from either party, this site sent a second
request to their media contact. That one got their attention, and
they asked me for my real name and documentation. I sent them a link
to Jigsaw’s post and offered to send them screenshots showing
unmasked employee information. I also told them I would delay
publication to give them a chance to remove the files from view.

That seemed to produce results. DHRM thanked me
for reaching out to them and the next day, they informed this site
that DHRM was addressing the security concern by:

Removal of the
referenced documents and links from DHRM’s servers so that data is
no longer exposed that might impact employee privacy and security;

Software that
has proper redacting capability was being supplied to users; and

Staff training was introduced to ensure
that no lapses will occur in the future.
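One way to verify that a redaction tool actually removed the text rather than painting a box over it is to audit the file's content streams before publishing. The following is an added example, not code from the article, DHRM or Jigsaw Security; it assumes the common form of the failure described above (a text object left under a drawn rectangle), handles only uncompressed and FlateDecode content streams without nested stream dictionaries, and builds its two test PDFs inline as constructed fixtures.

```python
"""Audit a PDF for 'redaction' that only draws a box over the text.

Added example, not the article's, DHRM's or Jigsaw Security's code. It walks
the PDF's content streams (inflating FlateDecode streams with zlib), pulls
the string operands shown inside BT...ET text objects, and flags any that
match a sensitive pattern such as a US SSN. Assumption: a minimal parser is
enough for the fixtures built below; real-world files may need a full
PDF library."""
import re
import zlib

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
# A stream object: its dictionary (no nested << >>), then the raw body.
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\nendstream", re.DOTALL)
# A PDF string literal, allowing backslash escapes inside the parentheses.
LITERAL_RE = re.compile(rb"\((?:\\.|[^\\)])*\)")


def content_streams(pdf: bytes):
    """Yield the decoded bytes of every stream object in the file."""
    for m in STREAM_RE.finditer(pdf):
        header, body = m.group(1), m.group(2)
        if b"/FlateDecode" in header:
            body = zlib.decompress(body)
        yield body


def shown_text(pdf: bytes):
    """Return the string literals inside text objects (operands of Tj/TJ/'/\")."""
    found = []
    for stream in content_streams(pdf):
        for block in re.finditer(rb"BT(.*?)ET", stream, re.DOTALL):
            found.extend(lit[1:-1] for lit in LITERAL_RE.findall(block.group(1)))
    return found


def unredacted_hits(pdf: bytes):
    """Sensitive strings that still survive in the file's text layer."""
    return [t for t in shown_text(pdf) if SSN_RE.search(t)]


def build_pdf(content_ops, compress=False) -> bytes:
    """Build a minimal one-page PDF around a content stream (constructed fixture)."""
    content = b"\n".join(content_ops)
    filt = b""
    if compress:
        content = zlib.compress(content)
        filt = b" /Filter /FlateDecode"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 300 100] /Contents 4 0 R"
        b" /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d%s >>\nstream\n" % (len(content), filt) + content + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


# Constructed fixtures: the SSN is fake.
TEXT_WITH_SSN = b"BT /F1 12 Tf 20 50 Td (Employee SSN: 123-45-6789) Tj ET"
TEXT_REDACTED = b"BT /F1 12 Tf 20 50 Td (Employee SSN: [REDACTED]) Tj ET"
BLACK_BOX = b"0 g 15 40 200 20 re f"  # fill a black rectangle over the text

# "Redacted" by drawing a box: the text object is still in the file.
BOX_OVER_TEXT_PDF = build_pdf([TEXT_WITH_SSN, BLACK_BOX], compress=True)
# Properly redacted: the text was replaced before the box was drawn.
PROPER_PDF = build_pdf([TEXT_REDACTED, BLACK_BOX])

if __name__ == "__main__":
    for label, pdf in (("box-over-text", BOX_OVER_TEXT_PDF), ("proper", PROPER_PDF)):
        hits = unredacted_hits(pdf)
        print(f"{label}: {'FAIL ' + repr(hits) if hits else 'ok, no sensitive text found'}")
```

The check is deliberately about the text layer, because a box drawn over live text is what lets a reader who edits or simply copies from the document recover the original. Running it as a pre-publication gate for the patterns an agency cares about (SSNs, salaries, account numbers) catches this class of mistake before the file reaches a web server.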

DHRM’s ITECH director and security officer also
reached out to Jigsaw Security, who provided DHRM with additional
assistance with the issue and also provided them with information
about other vulnerabilities the intel firm had spotted. Hopefully,
DHRM is addressing those issues, too.

And thus ends another adventure in trying to
notify entities of security problems. But it shouldn’t be
difficult to notify state agencies of security problems. Hopefully,
DHRM is addressing that, too, so the next time a white hat tries to
alert them to a problem, they get the notification.

… As described in this FERPA
directory information model form, “Directory information, which
is information that is generally not considered harmful or an
invasion of privacy if released, can also be disclosed to outside
organizations without a parent’s prior written consent.”

The list of information included as part
of directory information – or “information that is generally not
considered harmful or an invasion of privacy if released” – is
pretty complete:

Student’s name

Address

Telephone listing

Electronic mail address

Photograph

Date and place of birth

Major field of study

Dates of attendance

Grade level

Participation in officially recognized activities and sports

Weight and height of members of athletic teams

Degrees, honors, and awards received

The most recent educational agency or institution attended

Student ID number, user ID, or other unique personal identifier used
to communicate in electronic systems

A student ID number or other unique personal identifier that is
displayed on a student ID badge

If this information was compromised as part of a data breach, it
would be considered substantial – yet, this information about
children can be shared without parental consent, for their entire K12
experience.

Note that if these data are breached, if
student ID is not SSN, then many states would not even require breach
notification under their statutes. And we know that the U.S.
Education Dept. has never withheld federal funds from any k-12
institution over a breach.

Consequences for breaches at the post-secondary
level can be more costly for universities and colleges who may find
themselves sued (generally unsuccessfully), but again, federal
enforcement is lacking: USED does nothing and FTC has no authority
other than enforcing the Safeguards Rule if financial information is
involved – an authority it seemingly declined to use in the case of
the massive MCCCD breach that I reported on DataBreaches.net.

If student privacy is to be truly protected, it’s
time to revise FERPA to make sharing of “directory” information
opt-in, not opt-out. And it’s time to recognize that Google is not
a school official – it’s a vendor that is not in business to be
charitable. There is no such thing as a free lunch when it comes to
student data and tech.

Does Facebook have to drop the people who signed
up because of this? Being aggressive had benefits that this court
can't reverse.

Germany’s highest court has declared
unlawful a feature that encourages Facebook users to market the
social media network to their contacts, confirming the rulings of two
lower courts.

A panel of the Federal Court of Justice
ruled that Facebook’s “friend finder” promotional feature
constituted advertising harassment in a case that was filed in 2010
by the Federation of German Consumer Organisations (VZBV).

Transportation Secretary Anthony Foxx was in
Detroit on Thursday to
announce that the administration will request
close to $4 billion over ten years to "accelerate the
development and adoption of safe vehicle automation through
real-world pilot projects." The testing would take place in
certain areas of the country, according to a release, and the program
would "work with industry leaders to ensure a common multistate
framework for connected and autonomous vehicles."

… The National Highway Traffic Safety
Administration also rolled out new
policy guidance on autonomous vehicles, which included
a commitment to produce policy guidelines within six
months for states grappling with how to regulate self-driving cars.

… California's Department of Motor Vehicles
recently released draft regulations that would require a licensed
human driver behind the wheel of every autonomous vehicle.

… On Thursday, the embattled Internet company
said it would release the largest cache of Internet behavior data—the
clicks, hovers and scrolls of some 20 million anonymous users on
Yahoo’s sports, finance, news, real estate and other pages. The
trove, which will be available
only to universities, is expected to give researchers a
rare, real-world look at how large numbers of people behave online.

… The Yahoo data set weighs in at 13.5
terabytes, about two-thirds
the size of the Library of Congress.

That is larger than anything available to the vast
majority of academic computer scientists, and so big that it likely
will have to be stored outside a university system, possibly in a
cloud computing center run by Amazon.com Inc. or Alphabet
Inc.’s Google, said
Carnegie’s Moore, a former Google executive.

In doing so, Yahoo also released
information that could potentially be used by researchers who
download the database—and anyone they share it with—to identify
Yahoo customers.

The
behemoth dataset consists of 13.5 terabytes of user interactions
with news items from some 20 million users, which the company says
have been “anonymized.” While there are no names attached to the
data, seven million users in the database also had information about
their age, gender, the city they were in when they accessed the page,
whether they used a mobile device or a desktop, and a timestamp of
when they accessed the news item, included in the dataset.
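Removing names does not settle the question the article raises; what matters is how many rows share the same combination of age, gender, city, device and timestamp. The following is an added example, not Yahoo's or the researchers' code, that measures that with k-anonymity on a constructed sample with those fields; the generalisation rules (10-year age bands, hour-level timestamps, dropping columns) are assumptions chosen to illustrate how the risk changes.

```python
"""Measure re-identification risk of a 'no names' click log via k-anonymity.

Added example, not Yahoo's or the researchers' code. RECORDS is a
constructed sample carrying the fields the article says accompanied seven
million users' rows; the generalisation steps are assumptions."""
from collections import Counter

# Constructed rows, one click event each. No real users are represented.
RECORDS = [
    {"user": "u1", "age": 34, "gender": "F", "city": "Sunnyvale", "device": "mobile", "ts": "2015-10-05T08:14"},
    {"user": "u2", "age": 34, "gender": "F", "city": "Sunnyvale", "device": "mobile", "ts": "2015-10-05T08:41"},
    {"user": "u3", "age": 37, "gender": "F", "city": "Sunnyvale", "device": "desktop", "ts": "2015-10-05T08:52"},
    {"user": "u4", "age": 33, "gender": "F", "city": "Sunnyvale", "device": "desktop", "ts": "2015-10-05T09:03"},
    {"user": "u5", "age": 29, "gender": "M", "city": "Omaha", "device": "mobile", "ts": "2015-10-05T09:10"},
    {"user": "u6", "age": 25, "gender": "M", "city": "Omaha", "device": "mobile", "ts": "2015-10-05T09:15"},
    {"user": "u7", "age": 63, "gender": "F", "city": "Omaha", "device": "desktop", "ts": "2015-10-05T09:20"},
    {"user": "u8", "age": 63, "gender": "F", "city": "Omaha", "device": "desktop", "ts": "2015-10-05T09:58"},
]
# The quasi-identifiers: attributes an outsider could plausibly know about a person.
QUASI_IDS = ("age", "gender", "city", "device", "ts")


def equivalence_classes(records, quasi_ids, generalize=None):
    """Count how many rows share each quasi-identifier tuple."""
    gen = generalize or (lambda r: r)
    return Counter(tuple(gen(r)[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids, generalize=None):
    """Smallest class size: every row is hidden among at least k look-alikes."""
    return min(equivalence_classes(records, quasi_ids, generalize).values())


def singled_out(records, quasi_ids, generalize=None):
    """Rows whose tuple is unique (k = 1): knowing those attributes about a
    person is enough to pick out that person's row."""
    classes = equivalence_classes(records, quasi_ids, generalize)
    return sum(n for n in classes.values() if n == 1)


def coarsen(r):
    """Generalise one row: 10-year age band and hour-level timestamp (assumed rule)."""
    return {**r, "age": r["age"] // 10 * 10, "ts": r["ts"][:13]}


def risk_report(records=RECORDS):
    """k and number of singled-out rows under three release policies."""
    return {
        "raw": (k_anonymity(records, QUASI_IDS), singled_out(records, QUASI_IDS)),
        "coarsened": (k_anonymity(records, QUASI_IDS, coarsen), singled_out(records, QUASI_IDS, coarsen)),
        "coarsened, no device/time": (
            k_anonymity(records, ("age", "gender", "city"), coarsen),
            singled_out(records, ("age", "gender", "city"), coarsen),
        ),
    }


if __name__ == "__main__":
    for policy, (k, unique) in risk_report().items():
        print(f"{policy:28s} k={k}  singled-out rows={unique}")
```

With exact timestamps every row in the sample is unique, so "anonymized" means only that the name column is gone; coarsening the age and timestamp still leaves singletons, and only dropping the device and time columns gets every row into a class of at least two. The same measurement scales to the real release: the question a reviewer should ask of the seven million enriched rows is the size of the smallest class, not whether names were removed.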

The Goldman Sachs Group Inc. (GS)
said Thursday that it agreed to a $5.1 billion settlement to resolve
U.S. and state claims related to securitization, underwriting and
sale of residential mortgage-backed securities from 2005 to 2007.
The agreement in principle will reduce earnings for the fourth
quarter of 2015 by about $1.5 billion on an after-tax basis.

… As per the terms of the agreement in
principle, the firm will pay a $2.385 billion civil monetary penalty,
make $875 million in cash payments and provide $1.8 billion in
consumer relief. [Leaving
400 million for the lawyers? Bob]

A significant economic development? Certainly an
opportunity, if we can learn from Bitcoin's failures.

From the start, I’ve always
said the same thing: Bitcoin is an experiment and like all
experiments, it can fail. So don’t invest what you can’t afford
to lose. I’ve
said this in interviews, on stage at conferences, and over email.
So have other well known developers like Gavin Andresen and Jeff
Garzik.

But despite knowing that
Bitcoin could fail all along, the now inescapable conclusion that it
has failed still saddens me greatly. The fundamentals are
broken and whatever happens to the price in the short term, the long
term trend should probably be downwards. I will no longer be taking
part in Bitcoin development and have sold all my coins.

“There's an App (or website or social network or
...) for every purpose under heaven.” (apologies to Pete Seeger)

Ostensibly the request is to quell sex
trafficking, despite the fact that sex
trafficking is a relatively minor problem in the United States.
To be sure, there are certainly instances of the illicit sex trade
taking place in the nation, but the numbers have been vastly
overinflated to the point
of being meaningless. Sadly, all it takes to allow citizens’
rights to be eroded is to stoke fears and play on their emotions, as
we have seen recently with attempts at gun control and the war on
terror.

DHS is asking hotel staffs to report
guests who have “many” condoms in their garbage (whatever that
means), rooms that smell like cigarettes, and even tattoos that are
“unusual.” Those are just a few of the highlights from the list
of 18
items and behaviors to look out for, almost all of which could be
considered normal behavior for anybody who doesn’t live
in Pleasantville.

A survey of students’ carnal knowledge
sparked a national controversy Tuesday — and led to an apology from
the University of Southern California.

The clash was over a mandatory online
class that asked students to tally and reveal the
number of sex partners they had been with over the last three months,
multiple students confirmed to the Daily News.

The course grew out of a federal mandate
to address sexual assault on campus and was a prerequisite for all
incoming and continuing students at USC, an email to undergrad Jacob
Ellenhorn said.

And if this story is triggering deja vu for you,
yes, I reported on exactly
the same problem back in 2014 when a South Carolina university
also had this as part of their Title IX compliance.

[From
the article:

"It said it was anonymous, but at the same
time, they were keeping track of whether I was answering or not,
because I wouldn't be able to take classes or graduate without
completing it," he told The News.

In late 2013, Yahoo was hit with six lawsuits over
its practice of using automated scans of e-mail to produce targeted
ads. The cases, which were consolidated in federal court, all argued
that the privacy rights of non-Yahoo users, who "did not consent
to Yahoo's interception and scanning of their emails," were
being violated by a multi-billion dollar company.

Now, lawyers representing the plaintiffs are
singing a different tune. Last week, they asked US District Judge
Lucy Koh to
accept a proposed settlement (PDF). Under the proposal, the
massive class of non-Yahoo users won't get any payment, but the class
lawyers at Girard Gibbs and Kaplan Fox intend to ask for up to $4
million in fees. (The ultimate amount of fees will be up to the
judge, but Yahoo has agreed not to oppose any fee request up to $4
million.)

While users won't get any payment, Yahoo will
change how it handles user e-mails—but it isn't the change that the
plaintiffs attorneys were originally asking for. Yahoo won't stop
scanning e-mails. Instead, the company has agreed to make a
technical change to when it scans e-mails. In the
settlement
(PDF), Yahoo has agreed that e-mail content will be "only
sent to servers for analysis for advertising purposes after a Yahoo
Mail user can access the email in his or her inbox." [That
does not seem to be much of a change. Bob]

… A new Pew Research Center report
found that many people in America are upset about the extent to which
their personal data is being collected, but feel it is largely out of
their control.

“The data is there, and it’s being used, and
there isn’t a damn thing most of us can do about it, other than
strongly resent it,” one respondent told Pew. “The data isn’t
really the problem. It’s who gets to see and use that data that
creates problems. It’s too late to put that genie back in the
bottle.”

… “Free is a good price,” Pew said in its
report. People like no-cost services, and are willing to forfeit
some privacy in exchange for them. An individual’s data has become
its own kind of currency.

Recently, Orin Kerr and I had a brief conversation
on Twitter regarding the Fourth Amendment and the content/non-content
distinction. Specifically, Orin asked
those of us who subscribe to the mosaic theory of intelligence if
some large amount of metadata can become content, can some small
amount of content become metadata by the same logic? That is, if
non-content in sufficient quantities can become content under the
Fourth Amendment, shouldn’t the inverse of this function mean that
sufficiently small amounts of content can become non-content?
(Remember that content receives greater constitutional protection than
non-content.) There is a fair amount of unpacking to do in this
short question, so let’s start by exploring the mosaic theory as it
applies to Fourth Amendment law.

A recent InfoStor
article called Cloud
Storage Comparison covered Gartner’s view of the public
marketplace and gave a rundown of the top three players, Google,
Microsoft and Amazon. Gartner – surprising no one – places
Amazon in the top spot.

President Barack Obama’s administration, citing
concern about the origin of funds used for all-cash purchases of
luxury real estate, said it is stepping
up scrutiny of transactions in New York City and Miami.

The Financial Crimes Enforcement Network said on
Wednesday that it will temporarily require title insurance companies
to identify individuals behind companies that pay cash for high-end
residential real estate in Manhattan and Miami-Dade County.

Skype today announced
that its Skype Translator tool is now built directly into its main
app for all Windows users. This means Skype for Windows users no
longer need a separate app to translate conversations in seven
languages (Chinese Mandarin, English, French, German, Italian,
Portuguese, and Spanish) and 50
messaging languages.

Dutch investigators have confirmed to Motherboard
that they are able to read encrypted messages sent on PGP BlackBerry
phones—custom, security-focused BlackBerry devices that come
complete with an encrypted email feature, and which reportedly may be
used by organized criminal groups.

“We are capable of obtaining encrypted data from
BlackBerry PGP devices,” Tuscha Essed, a press officer from the
Netherlands Forensic Institute (NFI), told Motherboard in an email.
The NFI is a body that assists law enforcement in forensic evidence
retrieval, and which, according
to its website, deals with most of the forensic investigations in
criminal cases in the Netherlands.

… Very little information is available
regarding the specific technique that the NFI use to access encrypted
communications on custom BlackBerrys.

The Crime News report says that out of 325
encrypted emails recovered from a device, only 279 were deciphered,
and that the workaround is only
applicable when law enforcement have physical access to the device.

Claims by the Netherlands Forensic
Institute (NFI) that it has successfully decrypted emails stored on
BlackBerry smartphones have caused bafflement at the Canadian firm.

Documents seen
by Dutch blog Crime News show the NFI claiming to have decrypted 275
out of 325 emails encrypted with PGP from a handset in their
possession. The NFI reportedly
used software from Israeli firm Cellebrite to crack the encryption.

The French Parliament is considering a
legislative provision that would ban strong encryption
by requiring tech companies to configure their systems so that police
and intelligence agencies could always access their data.

The amendment to the vast “Digital
Republic” bill was introduced in the French National Assembly,
parliament’s lower house, by eighteen politicians from the
conservative Republican Party.

Muslim
professor blocked from game because his name was on US blacklist

Epic Games
has apologised after mistakenly barring an American professor from
playing its online game Paragon because someone who has the same name
as him was on a US government blacklist.

Muhammad Zakir Khan, an assistant professor at
Florida’s Broward College, had tried to sign
up for the beta of first-person shooter Paragon, a multiplayer
game inspired by esports hits such as Dota2. But instead of being
given an account for the game, Khan was hit with an unusual error
message.

“Your account creation has been blocked as a
result of a match against the Specially Designated Nationals list
maintained by the United States of America’s Office of Foreign
Assets Control,” the message read, before advising Khan to email
Epic’s customer service.

The Specially
Designated Nationals list is a
little-known blacklist produced by the US government as
part of its enforcement of economic sanctions against nations such as
Iran, Syria and Russian-controlled Crimea, in order to help companies
avoid accidentally doing business with high-profile citizens of, or
corporations controlled by, those blocked nations.

… Khan tweeted his issue to Epic Games, with
the hashtag #iamnotaterrorist. In a reply, Tim Sweeney, the founder
of the company, apologised, and said that the ban was a result of
errors on top of errors. Not only should Khan’s name not have
matched against the list at all, a simple name match shouldn’t have
been enough to spark a block.

What’s more, the filter wasn’t supposed to
have even been applied to the simple consumer-level ability to sign
up to the beta for Paragon. Instead, Sweeney
explained, it was intended to control access to Epic’s game
creation tools – built around the Unreal
Engine – for large commercial projects. The
company had re-used the code without considering how it would work
with orders of magnitude more names running through it.
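The two design failures Sweeney describes, auto-blocking on a bare name match and reusing a screen built for one risk tier on another, can be separated in code. The following is an added example, not Epic Games' code: a screening function that scores a match by how many corroborating attributes agree and routes low-confidence matches to human review rather than a block. The list entries are constructed placeholders, not real list contents, and the tier policies are assumptions for illustration.

```python
"""Sanctions-list screening that does not auto-block on a bare name match.

Added example, not Epic Games' code. Assumptions: list entries may carry a
date of birth and country alongside the name; a consumer signup (no money
or export-controlled goods changes hands) and a commercial licensing
application are screened under different policies."""
from dataclasses import dataclass
from typing import Optional
import unicodedata


@dataclass(frozen=True)
class ListEntry:
    name: str
    dob: Optional[str] = None      # ISO date when the list provides one
    country: Optional[str] = None


@dataclass(frozen=True)
class Applicant:
    name: str
    dob: Optional[str] = None
    country: Optional[str] = None


# Constructed placeholder entries; they stand in for real list contents.
SDN_LIST = [
    ListEntry("Example Sanctioned Person", dob="1970-01-01", country="XX"),
    ListEntry("Another Listed Name", country="YY"),
]


def normalize(name: str) -> str:
    """Case- and diacritic-insensitive, whitespace-collapsed comparison key."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.lower().split())


def match_score(applicant: Applicant, entry: ListEntry) -> int:
    """0 = no name match; 1 = name only; +1 per corroborating attribute."""
    if normalize(applicant.name) != normalize(entry.name):
        return 0
    score = 1
    if entry.dob and applicant.dob == entry.dob:
        score += 1
    if entry.country and applicant.country == entry.country:
        score += 1
    return score


def screen(applicant: Applicant, tier: str) -> str:
    """Return 'allow', 'review' or 'block' for the given deployment tier.

    Consumer tier (assumed policy): a name-only hit is logged and allowed,
    because a common name shared with a list entry is the expected case at
    consumer volumes; only a corroborated hit goes to review, never a block.
    Commercial tier (assumed policy): every name hit goes to review and a
    block requires name, DOB and country all to agree."""
    best = max((match_score(applicant, e) for e in SDN_LIST), default=0)
    if tier == "consumer":
        return "review" if best >= 2 else "allow"
    if tier == "commercial":
        if best >= 3:
            return "block"
        return "review" if best >= 1 else "allow"
    raise ValueError(f"unknown tier {tier!r}")


if __name__ == "__main__":
    namesake = Applicant("example sanctioned person", dob="1985-06-30", country="US")
    listed = Applicant("Example Sanctioned Person", dob="1970-01-01", country="XX")
    for who, a in (("namesake", namesake), ("listed", listed)):
        print(f"{who}: consumer={screen(a, 'consumer')}, commercial={screen(a, 'commercial')}")
```

The point of the tier argument is that the same list lookup yields a different decision depending on what the applicant is being screened for; a block, when one is warranted, rests on more than a string comparison, and the reviewer queue absorbs the false positives that a name-only rule produces in proportion to the number of names passing through it.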

Khan tweeted
that he was thankful for Sweeney’s apology, but added
that despite it, he was still concerned by the issues it raised.

“First, the fact that the problem existed in the
first place frustrates me. Someone designed Epic’s system without
thinking of its impacts. Second, someone overseeing said system
being put into place didn’t provide oversight of said system.
Thus, they were careless and sloppy. Third, if they had just taken a
moment to think about what they had done they could realise how
hurtful it could be for someone.

Many consumer-grade Internet of Things (IoT)
products, such as Wi-Fi security web cameras, include security flaws
that allow attackers to reprogram them and use them as persistent
backdoors, Vectra Networks warns.

According to the security firm, which focuses on
detection of cyber-attacks, insecure IoT devices enable potential
attackers to remotely command and control an attack while avoiding
detection from traditional security products. By turning an IoT
device into a backdoor, attackers gain 24x7 access to an
organization’s network without infecting a laptop, workstation or
server, which are usually protected by firewalls, intrusion
prevention systems and antivirus software.

… The
researchers explain in a blog
post that the reprogramming process started with taking the
camera apart and dumping the content of the flash memory chip on the
PCB (printed circuit board) for further analysis.

… As
Rafal Los, director of solutions research and development within the
Office of the CISO for Optiv, explains
in a SecurityWeek column, many of these IoT devices (even secured
and not hacked) are always-on, always connected, which could pose a
privacy risk to end-users and a security risk to companies, if they
are brought to the office. After all, companies might not have a
policy for bringing IoT devices, although they might have BYOD
policies in place.

In
November 2015, security researchers presented at the DefCamp
conference in Bucharest the findings of a study on the firmware of
IoT devices, explaining that such firmware images are often
susceptible to multiple security flaws because manufacturers do not
properly test them for security flaws. Also in November, IT security
consultancy SEC Consult revealed that millions of IoT devices use the
same cryptographic secrets, which exposes them to various malicious
attacks.

Interesting hypothetical. What if the
“instructions” are actually a review of a video game?

Suppose a laptop were found at the apartment of
one of the perpetrators of last year’s Paris attacks. It’s
searched by the authorities pursuant to a warrant, and they find a
file on the laptop that’s a set of instructions for carrying out
the attacks.

The discovery would surely help in the prosecution
of the laptop’s owner, tying him to the crime. But a junior
prosecutor has a further idea. The private document was likely
shared among other conspirators, some of whom are still on the run or
unknown entirely. Surely Google has the ability to run a search of
all Gmail inboxes, outboxes, and message drafts folders, plus Google
Drive cloud storage, to see if any of its 900 million users are
currently in possession of that exact document. If Google could be
persuaded or ordered to run the search, it could generate a list of
only those Google accounts possessing the precise file — and all
other Google users would remain undisturbed, except for the briefest
of computerized “touches” on their accounts to see if the file
reposed there.

A list of users with the document would spark
further investigation of those accounts to help identify whether
their owners had a role in the attacks — all according to the law,
with a round of warrants obtained from the probable cause arising
from possessing the suspect document.

I can't tell you how many times my students have
suggested my next destination. “Professor, you can go to ...”

… Among a few other updates in Maps v9.19
spotted by Android
Police, Google has introduced a new ‘Driving Mode’.
While you’re driving around town without a destination dialed in,
Google will use your frequent locations and search history to come up
with a predicted destination, and then push traffic information or
news about road closures as you’re driving, so you can adjust the
route as you see fit.

Twitter Inc shares closed at an all-time low
Monday and company is looking for anything to help bring its stock
back to prominence, even integrating Periscope, the live streaming
video service, into your timeline.

… Beginning Tuesday, some mobile users will be
able to watch
live broadcasts within the Twitter timeline. As the new feature
enhances the real-time capabilities of the social network, Periscope,
which was purchased early last year, could be introduced to millions
of new users.

… iOS users can only take advantage of the
Periscope integration. Users can watch live broadcasts and replay
old broadcasts until they expire.

Perspective. Even if there is an App for that
(and there is) it doesn't do us phoneless folks any good!

… Said simply: The older Americans get, the
less likely they are to be holding a smartphone. About a quarter of
the U.S. population over 65 doesn’t have a smartphone, and that is
rather unevenly distributed (many 65-year-olds, particularly those
still in the workforce, are avid smartphone users) among the age
cohort.

But Lyft, as a disruptive innovator that never met
a citizen it didn’t think it could give a ride to, is not about to
let the small issue of lack of enabling technology stand in the way
of seniors on the go. The ridesharing service has announced a
partnership with National
MedTrans Network that will provide seniors in New York City a way
to access Lyft for non-emergency medical appointments, even if they
don’t have a smartphone they call their own.

Yeah, I ain't buying it. There is something else
going on here. Call up a map of the Gulf. Draw a line from
easternmost Kuwait to easternmost Bahrain. Note that the line comes
no closer to Farsi Island than roughly 20 miles. Even if one boat
had mechanical problems (Both engines?) the other boat should have
been able to tow it. So what really happened? GPS was down? The
Navy can't read a compass? Something sounds fishy.

… The American sailors were aboard two
riverine patrol boats — 38-foot, high-speed boats that are used to
patrol rivers and littoral waters. One official said the two
vessels, which often patrol shallow waters near Bahrain, had failed
to make a scheduled meeting with a larger ship to refuel.

The Federal Communications Commission might be
deliberately withholding public records, according to a
Republican-led report released this week.

The House Oversight and Government Reform
Committee report concluded that the
FCC is either incompetent or intentionally misused redactions
under the Freedom of Information Act to withhold internal
communication about its controversial Internet regulations.

… The conclusion was reached in a
40-page report that concluded the open records process
is broken within the broader federal government. About a quarter of
the report was dedicated to side-by-side comparisons of FCC
documents, which were redacted when sent to journalists but provided
in full to the committee.

Actually, zip guns are easy. It used to be that
the bottom section of telescoping car antennas was almost exactly .22
caliber.

Individuals have been fashioning homemade firearms
for as long as guns have existed. Zip guns, crude but functional
weapons often made from taped-together pieces of pipe and rubber
bands, were particularly popular in the 1940s and 1950s.

… For instance, it’s not illegal to print
your own gun for personal use, but there are rules
about selling homemade guns, and restrictions on what materials can
be used when you make them. All-plastic
guns, undetectable by weapon-screening scanners, are prohibited.
One of the more alarming prospects of a world in which 3-D printing
might be widely used for home gun-making is not just that firearms
might be built to slip through metal detectors, but that the guns
wouldn’t be traceable at all. There would be no official serial
numbers, no records of ownership, nothing.

When we understand gravity we may be able to
generate it – or generate anti-gravity. If that is so, then we can
go to the stars.

This morning, the
Internet erupted with rumors
that physicists have finally observed gravitational waves; ripples in
the fabric of spacetime predicted by Albert Einstein a century ago.
While it isn’t the first time we’ve heard excited whispers about
the elusive phenomena, the gossip feels more promising in light of
the recently upgraded detector at the Laser Interferometer
Gravitational Wave Observatory (LIGO) that’s behind all the hubbub.

Highbrow
is a neat service that delivers short courses to your email inbox in
bite-size chunks. When the service launched last year the course
offerings were fairly limited. I took another look at the site today
and noticed that the course catalog has expanded. You will now find
courses in history, logic, science, and art. There are also courses
designed to help you improve your health and your productivity
habits.

The idea behind Highbrow is to provide you with
one short (5-10 minutes) lesson per day for your chosen course.
Lessons are delivered in the form of videos, images, and text.
Courses contain 10 to 20 lessons.

Highbrow
allows you to create your own courses that people can subscribe to.
Using Highbrow might be a good way to deliver to students a course on
studying habits, test-taking skills, or content to supplement your
in-person instruction.

… The book digs into how to use the iPad for
productivity-related tasks. It also covers things like syncing the
iPad so you can use it at work and home, backing up data, and other
basic tasks that will help you make the most of the iPad as a useful
tool.

A lot of the stuff in this book is about teaching
you to use your iPad
for things you’d traditionally turn to a computer for. Tasks like
working with spreadsheets, enterprise-level word processing, task
management, graphic design, communication, and much more are covered
in-depth.

Not only does it go over how to actually get these
things done, but it also breaks down the best apps for actually doing
everything.

… To redeem your copy and download the free
eBook, just head over to this
page and sign up for a free account. The process
will take just a few seconds, and then you will be sent an email with
a link to download a free copy.

Everyone Is
Freaking Out About The $1.5 Billion Powerball, And The Stats Agree

… In all the trajectories of the model we’re
playing around with, there’s a ballpark 95 percent chance someone
wins this.

Here’s where we stand: based on the old forecast
— the
one we used for Friday’s estimate — we’d estimate about
1.008 billion tickets will be sold for Wednesday’s jackpot. Based
on that number — which is totally unprecedented and based on far
too much extrapolation, keep in mind — we’d estimate a 97
percent chance of at least one winner on Wednesday’s drawing.
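The 97 percent figure can be reproduced from the ticket count with a one-line probability model. What follows is an added worked computation, not FiveThirtyEight's forecast model: it assumes every ticket is an independent uniform draw (real sales are not, since hand-picked numbers cluster while quick picks are random) and uses the Powerball jackpot odds in force since October 2015, 1 in 292,201,338, which the excerpt does not state.

```python
"""Probability that at least one ticket hits the jackpot, given tickets sold.

Added worked computation, not FiveThirtyEight's model. Assumes independent,
uniformly random tickets (an assumption) and the post-October-2015 Powerball
jackpot odds of 1 in 292,201,338.
"""
import math

JACKPOT_ODDS = 292_201_338  # one winning combination in this many per ticket


def p_at_least_one_winner(tickets: float, odds: int = JACKPOT_ODDS) -> float:
    """1 - P(every ticket loses) under independence."""
    return 1.0 - (1.0 - 1.0 / odds) ** tickets


def p_at_least_one_winner_poisson(tickets: float, odds: int = JACKPOT_ODDS) -> float:
    """Same quantity via the Poisson limit, 1 - exp(-N/odds): good for mental arithmetic."""
    return 1.0 - math.exp(-tickets / odds)


def expected_winners(tickets: float, odds: int = JACKPOT_ODDS) -> float:
    """Mean number of jackpot winners; shared jackpots become likely once this exceeds 1."""
    return tickets / odds


if __name__ == "__main__":
    for n in (250e6, 500e6, 1.008e9):
        print(f"{n / 1e6:8.1f}M tickets: P(>=1 winner) = {p_at_least_one_winner(n):.3f}, "
              f"expected winners = {expected_winners(n):.2f}")
```

With 1.008 billion tickets the model gives about 96.8 percent, in line with the excerpt's 97 percent, and an expected 3.45 winners, which is why a split jackpot is the likelier outcome at that volume.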

Tuesday, January 12, 2016

Germany’s BND intelligence agency has
resumed joint internet surveillance with the U.S. National Security
Agency (NSA) after halting collaboration with Washington last year
following a row over spying practices, German media reported.

The Department of Education is primed for
a large data breach that could eclipse the one experienced by the
Office of Personnel and Management (OPM), House Oversight Committee
Chairman Jason Chaffetz (R-Utah) said last week at a Brookings
Institute function.

With its rich set of data, including 139
million Social Security numbers and information on 40 million
students who’ve taken out federal loans, and an
“F” rating by the Inspector General based on the criteria
established under the Federal Technology Acquisition Reform Act
(FITARA), a breach at the agency could be more devastating than
OPM’s.

… Specific
malicious payloads, URLs and IP addresses are so ephemeral that they
may only be used once in the case of a true targeted attack. The
2015
Verizon Data Breach Investigation Report
(PDF)
illustrates this in stark detail.

The
Verizon report found that 70-90%
of malware used in breaches was unique to the organization that was
infected.
Clearly, if a threat is only used once, faster signatures alone
aren’t going to solve the problem.
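The "faster signatures alone" point is worth seeing concretely: a hash signature only ever matches the exact bytes it was written for, so a campaign rebuilt per victim defeats it, while a rule on the behaviour the campaign must exhibit does not. The block below is an added example, not from the Verizon report or Vectra; every "sample" is a constructed byte string standing in for a file, each trace is a constructed list of observed actions of the kind a sandbox or EDR would record, and the addresses are RFC 5737 documentation ranges.

```python
"""Hash signatures vs. behaviour rules against per-victim-unique malware.

Added example, not from the Verizon report. Every 'sample' and trace below is
constructed: the byte strings stand in for files and the action lists for what a
sandbox or EDR observed. Nothing here is real malware.
"""
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Sample:
    name: str
    content: bytes       # stands in for the file on disk
    trace: List[str]     # constructed behavioural trace, "category:detail"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# One campaign, rebuilt per target: identical logic, different bytes (here a per-victim tag).
_BASE = b"DROPPER-LOGIC-v1"
SAMPLES = [
    Sample("victim-A", _BASE + b"|tag=A",
           ["file:write:%APPDATA%\\svc.exe", "reg:run-key:svc", "net:out:203.0.113.7:443"]),
    Sample("victim-B", _BASE + b"|tag=B",
           ["file:write:%APPDATA%\\upd.exe", "reg:run-key:upd", "net:out:203.0.113.9:443"]),
    Sample("victim-C", _BASE + b"|tag=C",
           ["file:write:%TEMP%\\a.exe", "reg:run-key:a", "net:out:198.51.100.4:8443"]),
    # A benign installer: persists via a run key but never beacons out.
    Sample("installer", b"LEGIT-INSTALLER",
           ["file:write:%PROGRAMFILES%\\app.exe", "reg:run-key:app"]),
]

# The defender only ever obtained victim-A's file, so that is the one hash on the blocklist.
HASH_BLOCKLIST = {sha256(SAMPLES[0].content)}


def hash_signature_hits(samples: List[Sample], blocklist=HASH_BLOCKLIST) -> List[str]:
    """Exact-hash matching: catches only bytes identical to a sample already seen."""
    return [s.name for s in samples if sha256(s.content) in blocklist]


def behaviour_rule_hits(samples: List[Sample]) -> List[str]:
    """Matches the technique rather than the bytes: run-key persistence combined
    with an outbound connection in the same trace."""
    hits = []
    for s in samples:
        persisted = any(a.startswith("reg:run-key:") for a in s.trace)
        beaconed = any(a.startswith("net:out:") for a in s.trace)
        if persisted and beaconed:
            hits.append(s.name)
    return hits


def distinct_hashes(samples: List[Sample]) -> int:
    return len({sha256(s.content) for s in samples})


if __name__ == "__main__":
    print("distinct hashes among samples:", distinct_hashes(SAMPLES))
    print("hash signature hits:", hash_signature_hits(SAMPLES))
    print("behaviour rule hits:", behaviour_rule_hits(SAMPLES))
```

All four files hash differently, the hash blocklist catches only the sample it was derived from, and the behaviour rule catches the three rebuilt variants while leaving the benign installer alone. The trade-off is that behaviour rules need telemetry from the host or network, which is exactly the layer the Vectra item above says attackers try to route around.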

Remove
a slice of the market, reduce the need to supply it? No. Just
ignore all those Jihadists with obviously phony IDs.

New figures show that the number of
identification theft investigations collapsed by 30 percent in
California after a program allowing illegal aliens to apply for
driver’s licenses was implemented in 2015, according
to a FOIA request obtained by The Daily Caller News Foundation.

Breitbart News reported
in late January 2015 that the California
Department of Motor Vehicles (DMV) told investigators to ignore cases
alleging identity thefts committed by illegal aliens who were
applying for drivers’ licenses under a new program. An
anonymous DMV source provided Breitbart with internal documents
revealing the policy.

A data breach by militia at the Malheur
Wildlife National Refuge has led the US
Fish and Wildlife Service to ask
some of its employees to relocate from their homes until
the situation is resolved, sources told KOIN 6 News.

The
new way police are surveilling you: Calculating your threat ‘score’

… As
a national debate has played out over mass surveillance by the
National Security Agency, a new generation of technology such as the
Beware software being used in Fresno has given local law enforcement
officers unprecedented power to peer into the lives of citizens.

Police officials say such tools can provide
critical information that can help uncover terrorists or thwart mass
shootings, ensure the safety of officers and the public, find
suspects, and crack open cases. They
say that last year’s attacks in Paris and San Bernardino, Calif.,
have only underscored the need for such measures. [Yet
nothing in the article addresses prevention of crime. Bob]

A local activist has won an important
intermediary step in his legal quest to force the Chicago Police
Department (CPD) to produce documents that fully explain the
department’s use of cell-site simulators, also known as IMSI
catchers.

Computer
scientists at the University of Pennsylvania have developed an
algorithmic framework for conducting targeted surveillance of
individuals within social networks while protecting the privacy of
“untargeted” digital bystanders. As
they explain in this week’s Proceedings of the National Academy of
Sciences (PNAS), the tools could facilitate counterterrorism
efforts and infectious disease tracking while being “provably
privacy-preserving”—having your anonymous cake and eating it too.

My
privacy is worth more to me than yours is. At least, that seems to
be the findings of a new study by Penn State researchers. Alexa Lewis
reports:

On Dec. 14, a team of Penn State
researchers reported at the International Conference on Information
Systems in Fort Worth, Texas, that people are more concerned about
sharing their own personal information with third-party app
developers than they are about sharing their friends’ information.

The problem, Grossklags said, is known as
interdependent privacy. It means that the privacy of individual
consumers depends not only on their own online decisions, but the
decisions of their friends.

[…]

According to a Penn State press release,
the researchers found that participants valued data in their own
social media profiles at $2.31 and valued their friend’s social
media data at $1.56, when the information was irrelevant to the app’s
function. When the data was necessary for the app’s function, the
economic value of their own data dropped by $.27, but the value of
their friends’ data dropped by $.58.

… It’s called the “Elo score,” a term
used in chess to rank player skill levels. In short, the ranking
system helps the company facilitate matches based on score
compatibility. So if you’re really desirable, you have a better
chance of ending up with another really desirable person. And if
you’re not so desirable, then tough luck.

This all sounds like it’s connecting hotties
with hotties, right? According to Tinder CEO Sean Rad, wrong. He
emphasizes the rating isn’t really just a measure of
attractiveness.

… "It’s not just how many people swipe
right on you," Rad said. "It’s very complicated.

It took us two and a half months just to build the
algorithm because a lot of factors go into it."

… It might seem a little questionable at
first, but it makes sense that a dating app has some sort of internal
rating system, and it would be no surprise if other dating apps had
similar tools. Dating apps do actually want to get their users to
match. That’s why, for example, OkCupid makes you answer a whole
bunch of questions and shares your compatibility percentage with
other users.
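For readers who only know "Elo" as a word, here is the chess formula the term refers to. This is an added example of the standard chess rating update, not Tinder's algorithm (which, per Rad, weighs many more factors than a win/loss record); the ratings and K-factor are constructed.

```python
"""Chess-style Elo: expected score and rating update.

Added example of the standard chess formula, not Tinder's ranking. Ratings and the
K-factor below are constructed.
"""
from typing import Iterable, Tuple


def expected_score(rating_a: float, rating_b: float) -> float:
    """Expected share of points A takes from B. Equal ratings give 0.5;
    a 400-point edge gives about 0.91."""
    return 1.0 / (1.0 + 10 ** ((rating_b - rating_a) / 400.0))


def update(rating_a: float, rating_b: float, score_a: float, k: float = 32.0) -> Tuple[float, float]:
    """New (A, B) ratings after one game. score_a is 1 for an A win, 0.5 draw, 0 loss.
    Points gained by one side are lost by the other, so the total is conserved."""
    ea = expected_score(rating_a, rating_b)
    new_a = rating_a + k * (score_a - ea)
    new_b = rating_b + k * ((1.0 - score_a) - (1.0 - ea))
    return new_a, new_b


def play_series(rating_a: float, rating_b: float, results: Iterable[float], k: float = 32.0) -> Tuple[float, float]:
    """Fold a sequence of A's results through the update; the favourite gains little
    from beating a weak opponent and loses a lot when upset."""
    for score_a in results:
        rating_a, rating_b = update(rating_a, rating_b, score_a, k)
    return rating_a, rating_b


if __name__ == "__main__":
    print("equal players, A wins once:", update(1500, 1500, 1))
    print("A (1800) beats B (1400):   ", update(1800, 1400, 1))
    print("A (1800) loses to B (1400):", update(1800, 1400, 0))
    print("series of three A wins from 1500/1500:", play_series(1500, 1500, [1, 1, 1]))
```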

Help me out here. If I want to browse the data my
Texas employer has on Donald Trump's mental health, just for my own
amusement, that's Okay?

“The rise of political-science public
engagement has been so massive and rapid that it is paradoxically
easy to miss,” writes Marc Lynch, a Middle East specialist at
George Washington University and a regular blogger for the Cage, in a
forthcoming article for Perspectives on Politics. “A
decade ago, very few political scientists had either the opportunity
or the incentive to engage with the political public in a direct,
unmediated way.” Engagement has gone from “something exotic to
something utterly routine.” In fact, while the top blogs were
initially popular as rare outlets for scholars to reach a broader
public, they’re now popular, Lynch writes, as curators of “a
deluge of analysis, information, and argument.”

Perspective. Free is good! But not everyone
knows how to get “Free” or what to do with it once it is in hand.
Isn't that a marketing problem? Are the other 34 countries
successful?

Facebook
Tried To Give Everyone In Egypt The Internet — It Didn’t Work

Only two months after it launched, one of
Facebook’s flagship programs for free internet was abruptly
canceled. Egyptian officials say it was a licensing issue, but others
say it was part of a widening crackdown by Egyptian authorities.

… But since Free Basics launched in late 2015 in
36 countries, Facebook has faced problems in two of its biggest
markets — Egypt and India — along with criticism that it provides
a limited service only through the select partners that meet its
technological requirements. In India, the program has become subject
to a regulatory
battle, with detractors arguing that the initiative favors
certain apps and sources of information over others. In Egypt, the
program was quietly shut down on Dec. 30, just two months after it
was launched. It was, said many Egyptians, perhaps not as easy to
bring the internet to Egypt as Zuckerberg expected.

… “There was no advertisement of this
program in Egypt, no one knew about it,” said Mohammed, in a
sentiment echoed by several other Egyptians interviewed by BuzzFeed
News in Cairo.

… “Egypt will stop every website, they will
kick everyone off Facebook, if it means they will stop another
revolution from happening,” one activist told BuzzFeed News by
phone. He asked to remain anonymous due to the arrests of several of
his friends in recent years. “They took the whole country offline
in 2011, why doesn’t the world think they would do it again?


About Me

I live in Centennial, Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local Universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.